Profile Matching with Applications in Biometrics and Physical Random Functions



Marten van Dijk*
Philips Research Laboratories



Abstract. We consider the problem of secret agreement between two legitimate users whose profiles match sufficiently. We give practical solutions based on Reed-Solomon (RS) codes and one-way functions. We prove their security and analyse the leakage of information to an adversary who has at most a given finite amount of computational power. We show how biometrics and physical random functions can make use of these solutions. In particular, both an optical physical random function with a post-hash and a silicon physical random function can be made reliable and provably secure.



1 Introduction 



In this paper we address the following situation (see also Maurer [M91,M93]):

- A physical system P gives profiles to different principals.

- Alice and Bob want to share a secret key $K$ with each other if Bob's profile $B$ is close enough to Alice's profile $A$, that is, if the distance $d(A,B)$ is less than a certain threshold. The protocol may use public (broadcast) communication.

- The protocol should provide authenticity in the sense that

  • Alice knows that any person with whom she successfully shared a secret key has knowledge of a profile which is close to her profile, and

  • Bob knows that any person who is successfully sharing a secret key with him has knowledge of a profile which is close to his profile.

- The protocol should be secure in the sense that anyone (Eve) who obtained a profile ($E$) from P with large distance to $A$ should only obtain a negligible amount of information about $K$.

If the distance measures the mutual information between $A$ and $B$, then the situation is like the example in [M91,M93] where the physical system broadcasts a random binary string and the profiles are noisy versions of it received by Alice, Bob, and Eve.

* Computer Science and Artificial Intelligence Laboratory (CSAIL), 200 Technology Square, Cambridge, USA. Email: marten@mit.edu.



If we allow the security to be based on a computationally difficult problem, then a straightforward solution is to first use public communication to set up a secure channel between Alice and Bob and to share a secret key $K$ (security), for example by using Shamir's no-key algorithm [MvOV96], and secondly to use the secure channel for a profile matching protocol (authenticity), that is a protocol which convinces both Alice and Bob that their profiles sufficiently match. We will allow computational security, but our goal is to design an efficient solution where security and authenticity are simultaneously achieved.

We give a first solution based on Reed-Solomon (RS) codes in Section 3.1 and prove its security. Even though the fuzzy commitment scheme [JW99] has lots in common, we show that it is in general less secure. In Section 3.2 we introduce a technique to use a one-way function to create an erasures channel. This leads to a perfect scheme¹ in the sense that one is either able to reconstruct the key $K$ or does not obtain any information about $K$. The solutions presented so far only require a single public communication from Alice to Bob. In Section 3.4 we explain how, in combination with a one-way function, public feedback from Bob to Alice can be used. This leads to a simple scheme in which a minimal amount of information is leaked by Alice and Bob to one another and to others. The scheme also offers the possibility to match unordered sets, which leads to a more efficient scheme than the one published in [JS02].

In Section 4 we describe the relationship with unconditionally secure key generation (see for example [CK78,M93,AC93]). In particular we prove a relation between the entropy of Eve about the secret key $K$ and the amount of computing power of Eve if one-way functions are used. In Section 5 we analyze explicit examples and we show how the parameters of the RS code in our solutions can be computed.

In Section 6.1 we explain an application towards biometrics [DT03]. In Section 6.2 we discuss physical random functions and we show how our solutions for profile matching make physical random functions reliable and secure.

2 Model 

We are interested in the model of Figure 1. A physical system P gives a profile $A$ to Alice and a profile $B$ to Bob. We address the problem of how Alice can use public communication $I$ to transmit a key $K$ to Bob such that Bob can only recover the key if his profile $B$ is close to Alice's profile $A$. Security means that anyone (Eve) who obtained a profile ($E$) from P with large distance to $A$ can only obtain a negligible amount of information about $K$. Summarizing,

$$[\,d(A,B) \text{ small} \Rightarrow K \text{ can be recovered from } (I,B)\,]$$

and

$$\forall E\ [\,d(A,E) \text{ large} \Rightarrow \text{it is infeasible to obtain from } (I,E) \text{ information about } K\,].$$

¹ Perfect as in perfect secret sharing schemes.



Notice that these requirements are not formulated by using concepts from information theory. This is because we allow the security to be based on a computationally difficult problem. In particular, we will use a one-way (hash) function². If we remain in the information theoretical setting and if we define the distance $d(A,B)$ to be the mutual information $I(A;B)$ between $A$ and $B$, then we are in the situation of [M91,M93].




[Figure 1 (diagram): the shared key $K$; $d(A,B)$ small; $d(A,E)$ large]

Fig. 1. Profile matching model.



As soon as Bob has recovered a secret key $K'$, he needs to convince himself that $K' = K$ (equality $K = K'$ should imply that his profile is close to Alice's profile; inequality should imply that Bob's profile, just like Eve's profile, has a large distance to Alice's profile and that $K'$ does not reveal information about $K$). As in operating systems, which store hashes of passwords instead of storing passwords explicitly [PK89,MT79], a straightforward solution is to include $h(K)$ in $I$, which is a commitment of $K$. If Bob's profile is close to Alice's profile then $K = K'$ and $h(K) = h(K')$. If his profile has a large distance to $A$ then, according to our requirements, $K \ne K'$ and $h(K) \ne h(K')$. Of course a simple CRC check instead of a one-way function $h(.)$ suffices for this purpose. However, a CRC check of $K$ reveals information about $K$ to any Eve who receives $I$ over the public channel from Alice to Bob.

As soon as Alice and Bob share a secret key, they can use this key in cryptographic primitives to exchange sensitive data. Of course Alice and Bob only know that their profiles match enough. They do not necessarily know who the other person is. Often Alice or Bob only require that the other person is legitimate in the sense that their profiles match and that one of them is physically linked to the physical system P. For example in the biometrics application of Section

² A one-way function is a function $h$ such that for each $x$ in the domain of $h$, $h(x)$ is easy to compute, but for essentially all $y$ in the range of $h$, it is computationally infeasible to find any $x$ such that $y = h(x)$ [MvOV96].



6.1 the physical system P is a device which measures Alice's fingerprint. In the smartcard application of Section 6.2 the smartcard plays the role of Bob and contains the physical system P.



3 Efficient Protocols

Let

$$A = (a_1, \ldots, a_n),\quad B = (b_1, \ldots, b_n),\quad \text{and}\quad E = (e_1, \ldots, e_n)$$

be the profiles of Alice, Bob, and Eve. In this section we present solutions for profile matching where we use the Hamming distance,

$$d_H(A,B) = |\{i : a_i \ne b_i\}| \quad \text{and} \quad d_H(A,E) = |\{i : a_i \ne e_i\}|.$$
3.1 A Solution using RS codes

See Figure 2, Alice wants to share the key $K = (K_1, \ldots, K_k)$ with Bob. To this purpose Alice uses an

$$[\,n + k + d - 1,\ n + k,\ d\,]$$

Reed-Solomon (RS) code³ over $GF(q)$ (this requires $q - 1 \ge n + k + d - 1$). The RS code is systematic, which means that any $n + k$ positions form an information set⁴. The minimum distance is equal to $d$; in particular this implies that any set of $d - 1$ erasures⁵ can be corrected. This also follows from the fact that the non-erasure positions form an information set. This means that Alice is able to encode the $n + k$ positions

$$(K_1, \ldots, K_k, a_1, \ldots, a_n)$$

into a RS code word

$$W = (K_1, \ldots, K_k, a_1, \ldots, a_n, p_1, \ldots, p_{d-1}).$$

The entries $p_i$ are called parities and are transmitted by Alice to Bob. Bob uses the $d - 1$ parities to construct the vector

$$(?, \ldots, ?, b_1, \ldots, b_n, p_1, \ldots, p_{d-1}),$$

where the first $k$ entries are question marks representing erasures. Compared to the code word the constructed vector has $k$ erasures and $d_H(A,B)$ errors ($a_i \ne b_i$ for $d_H(A,B)$ unknown positions $i$). Since the RS code has minimum distance $d$, a

³ $[n + k + d - 1, n + k, d]$ denotes length, dimension, and minimum distance of the RS code.

⁴ For each selection of entries at the positions in an information set there exists a unique corresponding code word.

⁵ Erasures are positions for which no entry is received or computed.



Alice: Profile $A = (a_1, a_2, \ldots, a_n)$. Construct the RS code word $W$. Compute $H = h(K) = h(K_1, \ldots, K_k)$.

Bob: Profile $B = (b_1, b_2, \ldots, b_n)$. Use RS decoding to reconstruct $W$. The first $k$ entries of $W$ are $K$. Check $h(K) = H$.

Fig. 2. RS-Protocol: Profile matching by using a Reed-Solomon code.

classical errors-and-erasures decoding algorithm reconstructs $W$ if $k + 2\,d_H(A,B) \le d - 1$. This proves that Bob can reconstruct $W$ in particular if

$$d_H(A,B) \le (d - 1 - k)/2. \quad (1)$$

The more advanced (and less efficient) Guruswami-Sudan algorithm [GS99] reconstructs the code word $W$ if

$$d_H(A,B) < (n + d - 1) - \sqrt{(n + d - 1)(n + k - 1)}.$$

For example, see Section 6, for $n = 6794$, $d = 4157$, and $k = 442$, the Guruswami-Sudan algorithm decodes up to $d_H(A,B) \le 2073$ while a classical errors-and-erasures decoding algorithm decodes up to $d_H(A,B) \le (d - 1 - k)/2 = 1857$.

The parities $p_1, \ldots, p_{d-1}$ are transmitted over a public channel. This means that the knowledge of Eve can be represented by the vector

$$(?, \ldots, ?, e_1, \ldots, e_n, p_1, \ldots, p_{d-1}).$$



To prove that this vector does not contain any information about $K$, we show that this vector corresponds to each possible key equally likely. Without loss of generality, let the first $l = n - d_H(A,E)$ entries of $E$ be equal to the first $l$ entries of $A$. Let us assume that, given $d_H(A,E)$, Eve's profile $E$ is uniformly distributed over $\{X : d_H(A,X) = d_H(A,E)\}$. By our assumption on the distribution of $E$, the last $n - l$ entries of $E$ do not contain any information about $A$; to Eve, the last $n - l$ entries of $A$ are uniformly distributed. Suppose that

$$k + n - d_H(A,E) + d - 1 = k + l + d - 1 < n + k,$$

or equivalently $d_H(A,E) > d - 1$. Then there exists a code word

$$W' = (K'_1, \ldots, K'_k, a_1, \ldots, a_l, a'_{l+1}, \ldots, a'_n, p_1, \ldots, p_{d-1})$$

for some $a'_{l+1}, \ldots, a'_n$, because the positions outside $a'_{l+1}, \ldots, a'_n$ are part of an information set. To Eve, the last $n - l$ entries of $A$ are with uniform probability equal to $a'_{l+1}, \ldots, a'_n$. This shows that to Eve $K$ is with uniform probability equal to $K'$. That is, Eve does not obtain any information about $K$ if

$$d_H(A,E) > d - 1. \quad (2)$$

The implication also holds in the other direction. (If $d_H(A,E) \le (d - 1 - k)/2$ then Eve can reconstruct $K$, and if $(d - 1 - k)/2 < d_H(A,E) \le d - 1$ then Eve can reconstruct partial information about $K$.) Inequalities (1) and (2) prove the following lemma.

Lemma 1. Suppose that, given $d_H(A,E) = l$, Eve's profile $E$ is uniformly distributed over $\{X : d_H(A,X) = l\}$. Then in the protocol in Figure 2 there exists a distance $d$ such that Bob can reconstruct $K = (K_1, \ldots, K_k)$ and Eve does not obtain any information about $K$ if and only if $d_H(A,B) \le (d_H(A,E) - k)/2$.

Let us compare our construction with the fuzzy commitment scheme in [JW99] for RS codes, which works as follows. Alice uses an $[n, n - d + 1 + k, d - 1 - k]$ Reed-Solomon (RS) code over $GF(q)$ (this requires $q - 1 \ge n \ge n - d + 1 + k$). The code is systematic, meaning that any $n - d + 1 + k$ positions form an information set. Alice chooses random entries $R_1, \ldots, R_{n-d+1}$ and she encodes them together with $K$ into a code word $W$. She transmits $W + A$ to Bob. Bob constructs $W + A - B$. Notice that $W$ and $W + A - B$ agree on $n - d_H(A,B)$ positions. By using an errors-and-erasures

By using a similar argument as before, we want to prove that Eve does not obtain any information about $K$ if and only if $k + n - d_H(A,E) < n - d + 1 + k$, or equivalently $d_H(A,E) > d - 1$. We need to be careful. Su	ppose that $A$ is uniformly distributed. Then Eve can construct $W + A - E$ and discard $W + A$ and $E$ without losing any information about $A$ and in particular $K$ (see Section 4 for more explanation). Eve does not know which and how many positions in $A$ and $E$ match. We can prove that if $d_H(A,E) > d - 1$ then for any $K' = (K'_1, \ldots, K'_k)$ there exists a code word $W' = (K'_1, \ldots, K'_k, \ldots)$ such that $d_H(W + A - E, W') > d - 1$. In this sense all $W'$ with their corresponding $K$ and $K'$ are equally likely. However, we may find a list of $W'$ for which $d_H(W + A - E, W')$ is minimized. These may have a significant probability to be equal to $W$, in which case information about $K$ is leaked to Eve. The Guruswami-Sudan algorithm [GS99] produces such lists. It is unclear how secure the fuzzy commitment scheme is in the profile matching setting. Besides the difference in security, another difference with the protocol in Figure 2 is that Alice transmits more symbols in $GF(q)$.

Both the fuzzy commitment scheme and our construction can be used with arbitrary codes. For example the code may be a multidimensional vector space over the real numbers. In other words, the code words represent points in a lattice. In this setting the construction of [JW99] leads to the quantized index modulation (QIM) method of [CW01] used in watermarking.

If the assumption on the distribution of $E$ in Lemma 1 does not hold, Eve may obtain information about $K$ by using soft decision decoding of RS codes [KV00,PV03,Km03], which is based on list decoding as developed in [GS99]. The following lemma gives a bound on Eve's knowledge for arbitrary distributions that describe how the profiles $A$, $B$, and $E$ are generated by the physical system P.

Lemma 2. In the protocol in Figure 2, Eve's knowledge about the secret $K$ is

$$I(KA; EP) \le I(A;E) + H(P),$$

where $I(A;E)$ is the mutual information between the profiles $A$ and $E$ and where $H(P) \le d - 1$ is the information contained in the parities.

Proof. We derive

$$I(KA; EP) = H(EP) - H(EP|KA) = H(EP) - \big(H(P|KA) + H(E|KAP)\big).$$

Notice that $KA$ uniquely defines the parity information described by $P$, hence $H(P|KA) = 0$. $KP \to A \to E$ forms a Markov chain, which implies that $H(E|KAP) = H(E|A)$. By combining all equations, we obtain

$$I(KA; EP) = H(EP) - H(E|A) = H(E) + H(P|E) - H(E|A) = I(A;E) + H(P|E) \le I(A;E) + H(P).$$



Let $A$ be uniformly distributed, let $d_H(A,E) = l$ be fixed, and suppose that Eve's profile $E$ is uniformly distributed over $\{X : d_H(A,X) = l\}$. Then $I(A;E) = n - l$ and by Lemma 2,

$$k + n - H(KA|EP) = H(KA) - H(KA|EP) = I(KA; EP) \le n - l + d - 1,$$

hence $H(KA|EP) \ge k + l - (d - 1)$. This implies that if $l > d - 1$ then $H(KA|EP) \ge k$ and Alice and Bob can use $K$ and $A$ to distill $k$ symbols which are secret to Eve (who only knows $E$ and $P$). This corresponds to Lemma 1. For arbitrary distributions, Alice and Bob need to extend the protocol in Figure 2. In general, Alice and Bob cannot use $K$ as a secret key. Alice and Bob should compress $KA$ to $s = H(KA|EP) \ge H(KA) - (I(A;E) + H(P))$ secret symbols by using privacy amplification [C97]. For example, multiplication with a random binary $(k + n) \times s$ matrix leads to a key of $s$ bits about which Eve has only negligible information [CH77]. Of course, Alice and Bob can also use a hash function [MvOV96].



3.2 A Perfect Protocol by using One-Way Functions

See Figure 3, we propose to use the one-way (hash) function $h(.)$ not only for a commitment towards $K$ but also to create an erasures channel, as we will explain. Alice transmits to Bob the vector

$$(h(a_1), \ldots, h(a_n)).$$

As we will see, the one-way function $h(.)$ in this vector is used to create an erasures channel.

Bob computes $h(b_1), \ldots, h(b_n)$ and compares $h(a_i)$ and $h(b_i)$. This leads to the set

$$S = \{i : h(a_i) = h(b_i)\} = \{i : a_i = b_i\},$$

where the second equality holds with overwhelming probability by the definition of one-way (hash) functions. Notice that $|S| = n - d_H(A,B)$. Together with the $d - 1$ parities which Bob received, he knows the entries of $n - d_H(A,B) + d - 1$ positions in the code word $W$. The other positions are regarded as erasures. By using erasures-only decoding Bob retrieves the whole code word if and only if the known positions contain an information set (any $n + k$ positions), that is,

$$d_H(A,B) \le d - 1 - k. \quad (3)$$

In particular, Bob reconstructs $K$.

Eve may also compare $h(a_i)$ and $h(e_i)$. If they are equal she knows that $a_i = e_i$. If they are not equal then she obtains at most a negligible amount of information about $a_i$ by the definition of one-way functions. Let us again assume that, given $d_H(A,E) = l$, Eve's profile $E$ is uniformly distributed over $\{X : d_H(A,X) = l\}$. The proof leading to (2) shows that, without using the knowledge of $(h(a_1), \ldots, h(a_n))$, Eve obtains information about $K$ only if $d_H(A,E) \le d - 1$.



Alice: Profile $A = (a_1, a_2, \ldots, a_n)$. Compute $h(a_1), \ldots, h(a_n)$. Compute $H = (h(K_1), \ldots, h(K_k))$. Send $I = [H, h(a_1), \ldots, h(a_n), p_1, \ldots, p_{d-1}]$ to Bob (Bob succeeds if $d_H(A,B) \le d - 1 - k$).

Bob: Profile $B = (b_1, b_2, \ldots, b_n)$. Compute $S = \{i : h(a_i) = h(b_i)\}$. Use erasures-only decoding to reconstruct $W$. The first $k$ entries of $W$ are $K$. Check $(h(K_1), \ldots, h(K_k)) = H$.

Fig. 3. H-Protocol: Profile matching based on a one-way function.

Let $d_H(A,E) = d - 1$. Without loss of generality, let the first $l = n - d + 1$ entries of $E$ be equal to the first $l$ entries of $A$. Let $K' = (K'_1, \ldots, K'_k)$. Then there exists a unique code word

$$W' = (K'_1, \ldots, K'_k, a_1, \ldots, a_l, a'_{l+1}, \ldots, a'_n, p_1, \ldots, p_{d-1}),$$

since the positions outside $a'_{l+1}, \ldots, a'_n$ form an information set (each set of $n + k$ positions is an information set). This defines the mapping (linear in $K'$)

$$\phi(K') = (a'_{l+1}, \ldots, a'_n).$$

Notice that

$$\phi(K') = (a_{l+1}, \ldots, a_n) \iff K' = K.$$

By the assumed distribution of $E$, the mapping $\phi(.)$ represents the information about $K$ given Eve's knowledge, which consists of her profile $E$, the vector $(h(a_1), \ldots, h(a_n))$, and the parities.

Suppose that Eve has the computational power to perform up to $M \ge 1$ evaluations of the one-way function $h(.)$. We distinguish two cases. In the first case, we assume that Eve is not lucky and only computes values $h(a'_i)$ with $a'_i \ne a_i$. Then Eve can compute at most $2^{(d-1)\log_2 M}$ tuples $(h(a'_{l+1}), \ldots, h(a'_n))$. Hence, Eve can exclude at most $2^{(d-1)\log_2 M}$ possibilities for the secret key $K$. The remaining possibilities for $K$ are all equally likely. This proves that information theoretically Eve gets a negligible amount of information about $K$ if the size of $K$ is $> (d - 1)\log_2 M$. For example, if the size of $K$ is $1 + (d - 1)\log_2 M$ bits then Eve obtains 1 bit of information.

In the second case, we assume that Eve is lucky and that she computes $h(a'_i) = h(a_i)$, hence $a'_i = a_i$. Let $i = l + 1$ without loss of generality. Now the positions outside $K'_1, a'_{l+2}, \ldots, a'_n$ form an information set. This defines the mapping

$$\phi'(K'_2, \ldots, K'_k) = (K'_1, a'_{l+2}, \ldots, a'_n).$$

In particular, $\phi'(K_2, \ldots, K_k) = (K_1, a_{l+2}, \ldots, a_n)$. In other words, Eve obtains $\log_2 q$ bits of information about $K$. (This also shows how Eve obtains partial information about $K$ in the protocol based on RS codes if $d_H(A,E) \le d - 1$.) By our assumption on the distribution of $E$, the probability that Eve computes $h(a'_i) = h(a_i)$ is at most $M/q$. This proves the following lemma.

Lemma 3. Suppose that, given $d_H(A,E) = l$, Eve's profile $E$ is uniformly distributed over $\{X : d_H(A,X) = l\}$. Suppose that Eve has the computational power to perform up to $M \ge 1$ evaluations of the one-way function $h(.)$, $\log_2 M < \log_2 q$. Then, in the protocol in Figure 3, there exists a distance $d$ such that Bob can reconstruct $K = (K_1, \ldots, K_k)$ and Eve obtains, with probability at least $1 - M/q$, at most one bit of information about $K$ if and only if $d_H(A,B) \le d_H(A,E) - k$ and if the size of $K = (K_1, \ldots, K_k)$ is at least $1 + (d - 1)\log_2 M$ bits.

Since the security is based on the difficulty of inverting the one-way function $h(.)$, there is no need for Alice and Bob to share a key with more bits than the number of input bits of the one-way function, hence $k = 1$. If we assume that Eve is not malicious (or over-curious) and Eve only tries the protocol of Figure 3 to obtain the secret $K$, then $M = 1$. In this case Lemma 3 shows that by using one-way functions we can solve the profile matching problem if $d_H(A,B) < d_H(A,E)$. This is perfect (as in perfect secret sharing schemes) in the sense that either one can reconstruct $K$ or one does not obtain any information about $K$.

In Section 4.3 we generalize Lemma 3 towards arbitrary distributions.
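The H-Protocol of Figure 3 as an added, runnable toy example (not code from the paper): an $[n+k+d-1, n+k, d]$ RS code over a prime field $GF(P)$ built by Lagrange interpolation, so that any $n+k$ positions form an information set, with SHA-256 standing in for $h(.)$ and Bob doing erasures-only decoding from the positions where $h(a_i) = h(b_i)$ plus the parities. The same encoder produces the parities Alice sends in Figure 2. The prime $P$, the profile values, hashing the whole key tuple for $H$, and the use of SHA-256 are assumptions of this example.

```python
import hashlib

# Constructed toy instance of the H-Protocol (Figure 3). The code is an
# [n+k+d-1, n+k, d] Reed-Solomon code over GF(P), P prime (assumption:
# P = 2^31 - 1, so q - 1 >= n + k + d - 1 holds for any small n, k, d).
P = 2**31 - 1


def h(x) -> str:
    """The one-way (hash) function h(.): SHA-256 over the symbol's repr (assumption)."""
    return hashlib.sha256(repr(x).encode()).hexdigest()


def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial over GF(P) of degree < len(points)
    through the given (x_i, y_i) points (x_i pairwise distinct)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def rs_encode(info, length):
    """Systematic RS encoding: position i (1-based) of the code word is the value
    at x = i of the polynomial through (1, info[0]), ..., (len(info), info[-1]);
    positions len(info)+1 .. length carry the parities."""
    pts = [(i + 1, s) for i, s in enumerate(info)]
    return list(info) + [lagrange_eval(pts, x) for x in range(len(info) + 1, length + 1)]


def alice(A, K, d):
    """Alice's public message I = [H, h(a_1), ..., h(a_n), p_1, ..., p_{d-1}]."""
    n, k = len(A), len(K)
    W = rs_encode(list(K) + list(A), n + k + d - 1)   # W = (K, A, p_1, ..., p_{d-1})
    return {"H": h(tuple(K)), "hashes": [h(a) for a in A], "parities": W[n + k:]}


def bob(B, I, k):
    """Bob's side: S = {i : h(a_i) = h(b_i)}, then erasures-only decoding of W.
    Returns K, or None when fewer than n + k positions of W are known."""
    n = len(B)
    # Positions of W (1-based): 1..k hold K, k+1..k+n hold A, then the parities.
    known = [(k + i + 1, b) for i, b in enumerate(B) if h(b) == I["hashes"][i]]
    known += [(n + k + j + 1, p) for j, p in enumerate(I["parities"])]
    if len(known) < n + k:          # the known positions contain no information set
        return None
    K = tuple(lagrange_eval(known[: n + k], x) for x in range(1, k + 1))
    return K if h(K) == I["H"] else None   # the commitment check of Figure 3
```

With $n = 8$, $k = 2$, $d = 4$ condition (3) allows at most one mismatching profile entry; a second mismatch leaves Bob without an information set and decoding fails.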



3.3 Collusions

We may extend our model and require that multiple Eves may collude to obtain information about $K$. Even though each Eve has a different profile with a large



RS-Protocol (Fig. 2): $d_H(A,B) \le (d - 1 - k)/2$, $d_H(A,E) > d - 1$, $|K| = k \log_2 q > \log_2 M$

H-Protocol (Fig. 3): $|K| = k \log_2 q > (d - 1)\log_2 M$

Table 1. Restrictions on the parameters defining the protocol based on RS codes and the protocol using one-way functions.



distance to $A$, together they may obtain a profile with small distance to $A$. In the H-Protocol of Figure 3, by comparing $h(a_i)$ and $h(e_i)$, each Eve finds out which of the entries in her profile are equal to the corresponding entries in $A$. As soon as a collusion of Eves obtains enough matching entries, they can reconstruct $K$.

The RS-Protocol of Figure 2 offers slightly more security because only the parities of the code word $W$ are revealed. However, by using list decoding [GS99] and by comparing the lists of most likely code words of each Eve, the collusion of Eves may obtain a significant amount of information about $K$.

Notice that in the H-Protocol of Figure 3 Alice may partly obfuscate the vector $(h(a_1), \ldots, h(a_n))$ by using the technique of Figure 2. Alice encodes $(h(a_1), \ldots, h(a_n))$ into a

$$[\,n + 2(d - 1 - k),\ n,\ 2(d - 1 - k) + 1\,]$$

RS code word and transmits, instead of $(h(a_1), \ldots, h(a_n))$, the parities of the corresponding code word to Bob. If $d_H(A,B) \le d - 1 - k$, see (3), then Bob can reconstruct this RS code word, in particular the vector $(h(a_1), \ldots, h(a_n))$. Since $d_H(A,E) > d - 1$, see (2), Eve does not obtain complete knowledge about $(h(a_1), \ldots, h(a_n))$.

3.4 Public Feedback Channel

If Bob can communicate to Alice over the public channel, then a more straightforward solution is possible. Alice computes

$$I = [h(a_1), \ldots, h(a_n)],$$

which she transmits to Bob. Bob computes the set

$$S = \{i : h(a_i) = h(b_i)\} = \{i : a_i = b_i\},$$

which he transmits to Alice. If Alice wants to share a key with anyone who knows $(a_i : i \in S)$, then Alice transmits

$$K + \mathrm{Hash}(a_i : i \in S)$$

to Bob. Bob computes $\mathrm{Hash}(b_i : i \in S) = \mathrm{Hash}(a_i : i \in S)$ and recovers $K$. To avoid the last communication from Alice to Bob, Bob may choose the shared key $K$ and transmit $K + \mathrm{Hash}(a_i : i \in S)$ together with $S$ to Alice, who will then recover $K$. Eve can reconstruct $K$ if $h(e_i) = h(a_i)$ for all $i \in S$. If one of these does not match then Eve has incomplete information about $K$. The amount of Eve's information about $K$ depends on the compression factor of $\mathrm{Hash}$, Eve's computational power $M$, and the statistics of the profiles generated by the physical system. In Section 5 we give examples.

Notice that the proposed protocol is also a solution for profiles represented by sets instead of vectors (which represent ordered sets). Privacy-protected matching [JS02] and personal entropy systems [EHM+00] are applications. Alice first represents her profile by an arbitrary vector $(a_1, \ldots, a_n)$. She transmits the corresponding $I$ to Bob, who computes the set

$$S = \{i : \exists b \in B\ [h(a_i) = h(b)]\}.$$

Let $b_i \in B$ such that $h(a_i) = h(b_i)$. Then $S = \{i : a_i = b_i\}$ and the protocol proceeds as before.

Obviously the disadvantage of the new protocol is interaction between Alice and Bob. On the other hand, the advantages are

- no RS encoding or decoding,

- there are no parities to leak information about $K$ to Eve,

- Alice does not reveal her complete profile to Bob (only the part of the profile Bob has in common with Alice is obtained by Bob),

- Alice can decide whether the profile of Bob has enough in common with Alice's profile (represented by the set $S$) to share a key, and

- the profiles can be unordered sets instead of vectors.

Juels and Sudan [JS02] gave a solution for unordered sets without using a feedback channel from Bob to Alice. To ensure security they require what they call post randomization. In their solution Alice computes points $(a_i, p(a_i))$ where $p(.)$ is a polynomial with $K = p(0)$. Alice transmits these points in random order interleaved with a lot of random points $(x_i, y_i)$ (with the $x_i$'s distinct and unequal to any of the $a_i$'s). The random points (in the order of 10* for profiles of size 22) represent the post randomization. These are needed to keep Eve uncertain about the polynomial $p(.)$. Bob is able to reconstruct $p(.)$ by using an errors-and-erasures RS decoding algorithm, see [JS02] for details. Although no feedback channel from Alice to Bob is needed, the post randomization is a practical disadvantage.
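The feedback-channel protocol of Section 3.4 in its unordered-set form, as an added example that is not taken from the paper: Alice publishes $h(a_i)$ for an arbitrary ordering of her set, Bob reports $S$ and $K + \mathrm{Hash}(b_i : i \in S)$, and Alice accepts only when $|S|$ reaches her threshold. SHA-256 for both $h(.)$ and $\mathrm{Hash}(.)$, a 32-byte key, and bytewise XOR for "$+$" are assumptions of this example.

```python
import hashlib

# Constructed example of the Section 3.4 protocol with unordered profiles.
# Assumptions: h(.) and Hash(.) are SHA-256; K is 32 bytes; K + Hash(.) is XOR.


def h(x) -> str:
    """One-way function applied to a single profile element."""
    return hashlib.sha256(repr(x).encode()).hexdigest()


def mask(values) -> bytes:
    """Hash(a_i : i in S): the common elements, hashed in the order of S."""
    return hashlib.sha256(repr(list(values)).encode()).digest()


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(x, y))


def alice_message(A):
    """I = [h(a_1), ..., h(a_n)] for Alice's arbitrarily ordered profile vector A."""
    return [h(a) for a in A]


def bob_match(B, I):
    """S = {i : exists b in B with h(a_i) = h(b)}, returned as a dict i -> b_i."""
    by_hash = {h(b): b for b in B}     # B is an unordered set
    return {i: by_hash[hi] for i, hi in enumerate(I) if hi in by_hash}


def bob_reply(K: bytes, matched):
    """Bob chooses K and sends S together with K + Hash(b_i : i in S)."""
    S = sorted(matched)
    return S, xor(K, mask(matched[i] for i in S))


def alice_recover(A, S, C, threshold):
    """Alice accepts only if |S| reaches her threshold, then K = C + Hash(a_i : i in S).
    Only a party whose profile agrees with A on every i in S computes the same K."""
    if len(S) < threshold:
        return None
    return xor(C, mask(A[i] for i in S))
```

A profile $E$ that agrees with $A$ on all but one position of $S$ yields a different mask and hence a key unrelated to $K$, which is the all-or-nothing behaviour the text describes.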



4 Unconditional Security

In the current literature the problem is investigated how Alice and Bob can generate a secret key over a noisy channel in an unconditionally secure way. That is, the security of the key does not rely on the amount of computing time and resources that are available when attempting to obtain information about the secret key by unauthorized means. In particular, we are not allowed to use a one-way function.

As an example we assume that the physical system gives

- Alice a uniformly distributed binary vector $A$,

- Bob a binary vector $B = A + N_{AB}$, and

- an adversary Eve a binary vector $E = A + N_{AB} + N_{BE}$.

The physical system generates the noise vector $N_{AB}$ with bit error probability $p$ and the noise vector $N_{BE}$ with bit error probability $q$. This situation corresponds to Wyner's wire-tap channel in which all channels are binary symmetric. If Alice wants to transmit $X$ over the corresponding wire-tap channel, then she sends the public message $X + A$ to Bob (and Eve). Bob computes $Y = (X + A) + (A + N_{AB}) = X + N_{AB}$ and Eve computes $Z = (X + A) + (A + N_{AB} + N_{BE}) = X + N_{AB} + N_{BE}$. Without losing information about $X$, both Bob and Eve may discard the previous messages and keep $Y$ and $Z$ respectively⁶.

4.1 The Broadcast Channel with Confidential Messages

Wyner's wire-tap channel is a special case of the broadcast channel with confidential messages (BCC). The BCC was introduced by Csiszár and Körner [CK78] and generalized earlier models by Wyner [W75] and Körner and Marton [KM77]. It involves three participants: two legitimate users Alice ($X$) and Bob ($Y$) and an enemy cryptanalyst Eve ($Z$). Alice can communicate to Bob by using a discrete memoryless channel (DMC). It also produces side information to the enemy cryptanalyst. We denote this channel by $X \to (Y,Z)$. It is defined by the transition probability $P_{Y,Z|X}$. Channel $X \to (Y,Z)$ and the derived channels $X \to Y$ ($P_{Y|X}$) and $X \to Z$ ($P_{Z|X}$) from Alice to Bob and from Alice to Eve are discrete and memoryless. The random variables $X$, $Y$, and $Z$ are assumed to take values in finite sets.

Alice encodes $k$ source symbols $K^k$ into $n$ channel inputs which she transmits over the DMC $X \to (Y,Z)$. Bob produces an estimate $\hat{K}^k$ from the output of the channel from Alice to Bob. The block error probability is defined as

$$P_B = P(K^k \ne \hat{K}^k).$$

The encoder-decoder pair is characterized by a pair $(R, \Delta)$, where $R$ is the rate at which information is sent by Alice to Bob and where $\Delta$ is the enemy's per bit equivocation about this information. The enemy's per bit equivocation $\Delta$ is the fraction of the total information that Alice seeks to transmit to Bob which remains secret to Eve.

Of course, Alice and Bob want $P_B$ to be small, while keeping $R$ and $\Delta$ as large as possible. The rate-equivocation pair $(r, \delta)$, $r \ge 0$, $\delta \ge 0$, is said to be achievable if, for all $\epsilon > 0$, there exists an encoder-decoder pair such that Alice and Bob can use this pair to generate a secret key at rate

$$R \ge r - \epsilon$$

while

$$\Delta \ge \delta - \epsilon$$

and

$$P_B \le \epsilon.$$

The capacity region is the set of all achievable rate-equivocation pairs. The secrecy capacity is the supremum of all information rates at which Alice and Bob can generate a key that remains essentially entirely secret from Eve, i.e., it equals the supremum of information rates $r$ such that $(r, 1)$ is achievable.

⁶ $I(X; X + A, Y, Z) = I(X; Y, Z)$ because $A$ is uniformly distributed and statistically independent of $X$ and $N_{AB} + N_{BE}$.

Csiszár and Körner [CK78] characterized the capacity region in terms of information theoretical expressions. In Wyner's model $X$, $Y$, and $Z$ form a Markov chain $X \to Y \to Z$, that is $P_{Y,Z|X} = P_{Y|X} P_{Z|Y}$. Wyner proved that

$$C_s = \max_{P_X} I(X;Y|Z) \quad \text{for } P_{Y,Z|X} = P_{Y|X} P_{Z|Y}. \quad (4)$$

Massey [M83] gave a simplified treatment of Wyner's wire-tap channel. Piret [P80] showed that for Wyner's wire-tap channel $C_s$ can be achieved by using binary linear codes in the case where $X \to Y$ and $X \to Z$ are binary symmetric channels (he shows there exist binary linear codes without giving an explicit construction).



4.2 The BCC with Public Discussion

We generalize the BCC by allowing public communication by Alice and Bob. The concept of public discussion was introduced by Maurer in [M93] and by Ahlswede and Csiszár in [AC93]. In the BCC with public discussion the equivocation is redefined so that it also takes $I$ into account, where $I$ represents the public communication between Alice and Bob. We notice that in the definition of the information rate public communication plays no role. This is because public transmissions are assumed to be very cheap compared to transmissions over the channel $X \to (Y,Z)$. The new definition leads to the secrecy capacity with public discussion $\bar{C}_s$. Clearly, $C_s \le \bar{C}_s$, which is in turn less than or equal to the capacity of the channel $X \to Y$.

Ahlswede and Csiszár found characterizations of the secrecy capacity in the restricted situation where only one public message is allowed to contain data. In the case where this public message is sent from Alice to Bob the secrecy capacity is called the forward key-capacity and it appears to be equal to $C_s$. Intuitively, this is clear since Alice can not use any information sent by Bob in order to construct her public message, simply because there are no messages sent by Bob to Alice. Hence, the public message $I$ contains only information about the selection of the $n$ source bits $X^n$. This information is transmitted to Bob and, more important, also to Eve. Hence, Alice and Bob are not allowed to use the part of the information in $X^n$ respectively $Y^n$ which is dependent on $I$ to extract a secret key. If they break this rule the secret key will depend on $I$, and Eve will obtain information about it. We conclude that the public message has only a negative effect on Alice's and Bob's situation. Not using a public message is better. This proves intuitively that the forward key-capacity equals $C_s$. In the case where the non-empty public message is sent from Bob to Alice the secrecy capacity is called the backward key-capacity, and its characterization is unknown. In our example we deal with the forward key-capacity.

For completeness, both Maurer [M93] and Ahlswede and Csiszár [AC93] proved that $\bar{C}_s$ is upper bounded by $I(X;Y|Z)$ maximized over all possible probability distributions $P_X$. If $X$, $Y$, and $Z$ form a Markov chain in some order then equality holds⁷. Thus equality holds if $X \to Y \to Z$, i.e. $P_{Y,Z|X} = P_{Y|X} P_{Z|Y}$, or if $X \to Z \to Y$ (in the last case $I(X;Y|Z) = 0$). In particular, for Wyner's wire-tap channel (4) also gives $\bar{C}_s$.

⁷ $\bar{C}_s(P_{Y,Z|X})$ is more generally upper bounded by $I(X;Y|U)$ maximized over all possible probability distributions $P_X$ and $P_{U|Z}$, where $U$ is some random variable.

⁸ Generalizations of the BCC with public discussion are introduced and discussed in [W99].

In the situation of the BCC with public discussion only upper bounds on $\bar{C}_s$ and no precise characterizations of $\bar{C}_s$ are known. We refer to [C97,vD97,vTvD03] for techniques about how to use public communication (the constructions require a lot of public interaction between Alice and Bob).

Summarizing, in our example (Wyner's wire-tap channel with binary symmetric channels)

$$C_s = h_2\big(p(1 - q) + (1 - p)q\big) - h_2(p), \quad (5)$$

where $h_2(x) = -x \log_2 x - (1 - x)\log_2(1 - x)$ denotes the binary entropy function, and

$$\bar{C}_s = C_s,$$

which means that public communication between Alice and Bob, in particular from Alice to Bob, does not help.

4.3 One-Way Functions

If Alice and Bob are allowed to base security on the assumption that Eve has finite computing power, then they may use the following strategy. Alice transmits random vectors $X_i$ of $m$ bits each over Wyner's wire-tap channel to Bob. Bob receives the vectors $Y_i$ with bit error probability $p$. Hence, the probability that $X_i = Y_i$ is equal to

$$(1 - p)^m. \quad (6)$$

Eve receives vectors $Z_i$, each bit of which differs from the corresponding bit in $Y_i$ with bit error probability $q$. Alice transmits $h(X_i)$ over the public channel. As soon as Bob receives a vector $Y_i$ such that $h(X_i) = h(Y_i)$, Alice and Bob agree on the secret $K = X_i = Y_i$.

As soon as Alice and Bob agree on a secret key $K = X_i = Y_i$, Eve's knowledge about $K$ is given by $Z_i$, $h(X_i)$, and the information that $X_i$ and $Y_i$ are equal to one another. If we assume that $h(X_i)$ does not reveal any information about $Y_i = X_i$, then we may measure the security by the uncertainty of $Y_i$ given $Z_i$. [...] Notice that $Z_i = X_i + N_{AB,i} + N_{BE,i}$. Eve will perform an exhaustive search among the most likely candidates for Bob's subvector $Y_i = X_i + N_{AB,i}$. That is, she needs to guess $N_{BE,i}$. The most likely candidates are the ones with lowest Hamming weight. On average the Hamming weight of $N_{BE,i}$ is equal to $qm$. This means that on average Eve needs to perform an exhaustive search among all binary vectors of length $m$ in the sphere around the all-zero vector and with radius $qm$. In this sense a security of $s$ bits means that the number of vectors in the sphere



§ (7) - 

should be equal to $2^s$. We conclude that [...] definition of security is more [...].

Lemma 4. Let $Y$ and $Z$ be random variables in $\mathcal{Y}$ and $\mathcal{Z}$. Let $U$ be a set which consists of $M$ elements in $\mathcal{Y}$ and define

$\delta_U(y) = y$ for $y \in U$, and $\delta_U(y) = ?$ for $y \notin U$.

Then,

$H(Y|Z=z,\delta_U(Y)) \geq H(Y|Z=z) - \epsilon \log_2 M - h_2(\epsilon)$,

where

$\epsilon = P(\delta_U(Y) \neq ?\,|\,Z=z)$.



Proof. The proof is similar to the proof of Fano's inequality. We derive

$H(Y|Z=z) = H(Y,\delta_U(Y)|Z=z) = H(\delta_U(Y)|Z=z) + H(Y|Z=z,\delta_U(Y))$. (8)

Define random variable $\delta$ to be equal to 1 if $\delta_U(Y) \neq ?$ and equal to 0 if $\delta_U(Y) = ?$. Then

$H(\delta_U(Y)|Z=z) = H(\delta_U(Y),\delta|Z=z) = H(\delta|Z=z) + H(\delta_U(Y)|Z=z,\delta)$, (9)

where

$H(\delta|Z=z) = h_2(P(\delta_U(Y) \neq ?\,|\,Z=z)) = h_2(\epsilon)$ (10)

and

$H(\delta_U(Y)|Z=z,\delta) = P(\delta=0|Z=z)\,H(\delta_U(Y)|Z=z,\delta=0) + P(\delta=1|Z=z)\,H(\delta_U(Y)|Z=z,\delta=1)$. (11)

Notice that

$H(\delta_U(Y)|Z=z,\delta=0) = H(\delta_U(Y)|Z=z,\delta_U(Y)=?) = 0$, (12)

$P(\delta=1|Z=z) = P(\delta_U(Y) \neq ?\,|\,Z=z) = \epsilon$, (13)

and

$H(\delta_U(Y)|Z=z,\delta=1) = H(\delta_U(Y)|Z=z,\delta_U(Y) \neq ?) \leq \log_2 |U| = \log_2 M$. (14)

The combination of (8)-(14) proves the lemma.

□ 

Corollary 1. Let $Y$ and $Z$ be random variables which take values in $\{0,1\}^m$ such that $Y$ is uniformly distributed and

$P_{Z|Y}(z|y) = q^{d_H(z,y)}(1-q)^{m-d_H(z,y)}$, $q \leq 1/2$,

and let $U \subseteq \{0,1\}^m$ be a set of $M \leq 2^{h_2(u)m}$ elements, $u \leq 1/2$. Then,

$P(\delta_U(Y) \neq ?\,|\,Z=z) \leq \epsilon = \sum_{i=0}^{um} \binom{m}{i} q^i (1-q)^{m-i}$

and

$H(Y|Z=z,\delta_U(Y)) \geq (h_2(q) - \epsilon h_2(u))m - h_2(\epsilon)$.

Proof. The probability $P(\delta_U(Y) \neq ?\,|\,Z=z)$ is maximized by taking $U$ to be the sphere around $z$ with radius $um$. Since $h_2(x)$ is monotone increasing for $0 \leq x \leq 1/2$, the corollary follows from Lemma 4.

□ 

Let us apply Corollary 1 to the situation of Eve. Suppose that Eve's computing resources allow her to perform at most $M = 2^{h_2(u)m}$, $u < q$, evaluations of a one-way function $h(\cdot)$. Then she is able to construct a set $U$ of size $M$ for which Eve knows $\delta_U(Y_i)$. This means that if $Y_i \in U$ then Eve has full knowledge of $K = X_i = Y_i$, and if $Y_i \notin U$ ($\delta_U(Y_i) = ?$) she has uncertainty about $Y_i = X_i = K$. Thus Eve's average uncertainty about $K$ is equal to

$P(\delta_U(Y_i) = ?\,|\,Z_i=z_i)\,H(Y_i|Z_i=z_i,\delta_U(Y_i)=?) = H(Y_i|Z_i=z_i,\delta_U(Y_i))$.

According to Corollary 1 this is at least

$s = (h_2(q) - \epsilon h_2(u))m - h_2(\epsilon)$, (15)

where

$\epsilon = \sum_{i=0}^{um} \binom{m}{i} q^i (1-q)^{m-i}$.



So, the security $s$ is measured by (15) and not by (7). Notice that for $q \approx u$ we obtain $\epsilon \approx 1$ and $s \approx 0$. This corresponds with our intuition: if Eve is able to construct a set $U$ of typical sequences $y$ given $Z_i = z$ then $Y_i \in U$ with probability close to one and Eve is able to reconstruct $Y_i = X_i = K$.

Since $K$ only contains $s$ bits of security, Alice and Bob should compress $K$ to $s$ bits. This is called privacy amplification [C97]. In general, multiplication with a random binary $m \times s$ matrix leads to a key of $s$ bits about which Eve has only negligible information [CH77]. Of course Alice and Bob can also use a hash function [MvOV96].

Combination of (6) and (15) gives the secrecy rate of Alice's and Bob's strategy, $(1-p)^m s$. [...] the secrecy capacity with public discussion

$C_s = m(h_2(p + q - 2pq) - h_2(p))$

bits per vector of $m$ bits. In this example, the secrecy rate of Alice and Bob does not generally improve $C_s$. Notice that Alice and Bob's secrecy rate gets better if Bob has computational power to evaluate $h(\cdot)$ and construct a set $U$ for himself.

[...] improves if Eve has no computing power at all, that is $M = 0$. [...] improvement for $q \approx 1/2$ or for $p < u$ with $m = (\log_2 M)/h_2(u)$. If $M = 0$ then $s = m h_2(q)$ and for small $p$ and $m \ll 1/p$ we obtain $(1-p)^m s = (1 - mp + O((pm)^2))\,m h_2(q)$ and $C_s = m(h_2(q) + p(1-2q)\log_2\frac{1-q}{q} + p \log_2 p + O(p^2))$. Hence, $(1-p)^m s - C_s = pm(-\log_2 p - (1-2q)\log_2\frac{1-q}{q} - m h_2(q) + O(pm))$, which is positive for $m \ll -\log_2 p$ and $p$ small enough.



The technique with one-way functions shows that for Wyner's wire-tap channel with binary symmetric channels a simple strategy is possible and that we can prove its security (see Section 5.2 for a numerical example). It remains unsolved when simple strategies involving one-way functions improve the secrecy capacity with public discussion.

Notice that the BCC with public discussion in which computational security is allowed makes no sense. If cryptographic primitives are allowed then the public channel itself can be used to share a secret key, see for example Shamir's no-key protocol [MvOV96]. In the BCC only Alice can transmit messages to Bob over the noisy channel. Therefore Alice can authenticate herself by using the noisy channel to transmit a sensible message encoded and encrypted with the secret key. The difference with our model is that anyone (not just Bob) who has a profile close enough to Alice's profile should be able to learn the key.

As a final remark we notice that Lemma 4 can be used to generalize Lemma 3 in Section 3.2.

Lemma 5. Let $(A_i, E_i)$, $1 \leq i \leq n$, be independently distributed pairs of random variables. Suppose that Eve has the computational power to perform up to $M \geq 1$ evaluations of the one-way function $h(\cdot)$, $\log_2 M \leq H(A_i)$. Then, in the protocol in Figure 3, Eve obtains at most

[...]

bits of information about $KA$.

Proof. Let $\delta_U$ be as in Lemma 4. Eve is able to construct a set $U_i$ of size $M_i \leq M$ for which Eve knows $\delta_{U_i}(A_i)$. By Lemma 4,

[...]

where

$\epsilon_i(z) = P(\delta_{U_i}(A_i) \neq ?\,|\,E_i = z)$.

This proves (notice that $h_2(x)$ is $\cap$-convex, i.e. concave)

$H(A_i|E_i,\delta_{U_i}(A_i)) \geq H(A_i|E_i) - \epsilon_i \log_2 M_i - h_2(\epsilon_i)$,

where

$\epsilon_i = P(\delta_{U_i}(A_i) \neq ?) = P(A_i \in U_i)$.

By using the concept of typical sets we observe that

$\epsilon_i = P(A_i \in U_i) \leq M_i / 2^{H(A_i|E_i)}$.

Let $\delta_U(A) = (\delta_{U_1}(A_1),\ldots,\delta_{U_n}(A_n))$. Then Lemma 2 with $E$ replaced by $(E,\delta_U(A))$ gives

$I(KA; E,\delta_U(A),P) \leq I(A; E,\delta_U(A)) + H(P) \leq I(A;E) + H(P) + \sum_{i=1}^{n} \left( \frac{M_i \log_2 M_i}{2^{H(A_i|E_i)}} + h_2\!\left(\frac{M_i}{2^{H(A_i|E_i)}}\right) \right)$.

□

This lemma can also be used in Section 3.4 to determine the compression factor of the hash function Hash.



5 Examples

5.1 Hashed Binary Symmetric Channel

Let us consider the RS-Protocol of Figure 2 and the H-Protocol of Figure 3, where we allow computational security. Suppose that Alice, Bob, and Eve have $n$ subvectors of length $m$ each, that is

$X = (X_1,\ldots,X_n)$, $Y = (Y_1,\ldots,Y_n)$, and $Z = (Z_1,\ldots,Z_n)$,

with each $X_i$, $Y_i$, and $Z_i$ containing $m$ bits. Alice uses RS encoding (by representing each $X_i$ as a symbol in $GF(2^m)$) to compute the RS code word

$W = [K_1,\ldots,K_k, X_1,\ldots,X_n, P_1,\ldots,P_{d-1}]$.

Alice transmits

$I = [h(K_1,\ldots,K_k), P_1,\ldots,P_{d-1}]$

or

$I = [h(K_1),\ldots,h(K_k), h(X_1),\ldots,h(X_n), P_1,\ldots,P_{d-1}]$

over the public channel to Bob depending on which protocol she uses. In the protocol using one-way functions Bob computes $h(Y_i)$. Only if $h(X_i) = h(Y_i)$ then Alice and Bob know that with overwhelming probability $X_i = Y_i$ (that is the corresponding entries in $N_{AB}$ are zero).

We assume that $X$ is uniformly distributed and that, given $d_H(Z,X) = l$, $Z$ is uniformly distributed over

$\{Z : d_H(Z,X) = |\{i : Z_i \neq X_i\}| = l\}$

(this assumption is used in the derivation of (2)). For example, [...] and similarly [...].

Since the probability that $h(X_i) = h(Z_i)$ is equal to $1-q$, Eve gets to know at least

$t_E = n - d + 2$ (16)

subvectors $X_i$ (such that $d(X,Z) \leq d-2$) with which she can obtain information about $K$ (see (2)) with probability

$P_E = \sum_{i \geq t_E} \binom{n}{i} (1-q)^i q^{n-i} \approx q^n (n(1-q))^{t_E}/t_E!$, (17)

where the approximation holds for

$(1-q)n \ll t_E$. (18)

The probability that Bob gets to know at least

$t_B = n - (d-1-k)/2$ resp. $t_B = n - (d-1-k)$ (19)

subvectors $X_i$ (such that $d_H(X,Y)$ is small enough) with which he can recover $K$ is equal to

$1 - P_{AB} = 1 - \sum_{i < t_B} \binom{n}{i} (1-p)^i p^{n-i} \approx 1 - p^n (n(1-p))^{t_B-1}/(t_B-1)!$, (20)

where the approximation holds for

$n(1-p) \gg t_B$. (21)

Notice that conditions (18) and (21) are necessary to achieve small $P_E$ and $P_{AB}$. As an example, suppose that the physical system $P$ in the profile matching model generates binary vectors $Y_i$ and $Z_i$ of length $m$ as the outputs of two binary symmetric channels with random input $X_i$ characterized by bit error probabilities 0.01 and 0.05 respectively. Suppose that the physical system uses



a post-hash [...]. Then we obtain the situation described in this section, where

$p = 1 - (1 - 0.01)^m = 1 - 0.99^m$

and

$q = 1 - (1 - 0.05)^m = 1 - 0.95^m$.

Let

$n \approx \alpha t_B/0.99^m \approx \beta t_E/0.95^m$ (22)

[...] such that conditions (18) and (21) are satisfied. Notice that $(1-x) \leq e^{-x}$ for $0 \leq x \leq 1$, and $x^x/x! \leq e^x$ for $x > 0$. By using the approximations (17) and (20) we derive

$P_E \approx (1 - 0.95^m)^n (n \cdot 0.95^m)^{t_E}/t_E! \leq e^{-\beta t_E}(\beta t_E)^{t_E}/t_E! \leq (e^{1-\beta}\beta)^{t_E}$ (23)

and

$P_{AB} \approx (1 - 0.99^m)^n (n \cdot 0.99^m)^{t_B-1}/(t_B-1)! \leq e^{-\alpha t_B}(\alpha t_B)^{t_B-1}/(t_B-1)! \leq (e^{1-\alpha}\alpha)^{t_B-1}$. (24)

See equations (16) and (22), $t_E = n - d + 2 = \beta t_E/0.95^m - d + 2$, hence,

$d - 2 = (\beta/0.95^m - 1)t_E$. (25)

Since $d - 2$ is positive for $d > 2$, this leads to the condition

$\beta/0.95^m - 1 > 0$. (26)

See equation (19),

$t_B = n - (d-1-k)/2 = \alpha t_B/0.99^m - (d-1-k)/2$.

Combined with (25) this gives

$(\beta/0.95^m - 1)t_E + 1 - k = d - 1 - k = 2(\alpha/0.99^m - 1)t_B$.

Since $k > 1$, this leads to the condition (use (22))

$2 \cdot 0.99^m/\alpha - 0.95^m/\beta > 1$. (27)

In particular, $0.99^m > 1/2$, hence, $m \leq 68$.

See equation (19),

$t_B = n - (d-1-k) = \alpha t_B/0.99^m - (d-1-k)$.

Combined with (25) this gives

$(\beta/0.95^m - 1)t_E + 1 - k = d - 1 - k = (\alpha/0.99^m - 1)t_B$.

In this case we also have the condition $km \geq (d-1)\log_2 M$ with $\log_2 M \leq m$, that is

$k \geq (d-1)(\log_2 M)/m = ((\beta/0.95^m - 1)t_E + 1)(\log_2 M)/m$.

This leads to the condition (use (22))

$0.99^m/\alpha - 0.95^m/\beta > [\ldots]$. (28)

In particular, $1 \leq \alpha \leq m\,0.99^m/\log_2 M$, and, since $m\,0.99^m$ is maximized for $m \approx 99$, we obtain $\log_2 M \leq 35$. So, in this parameter setting Alice and Bob cannot protect themselves against an adversary with $M > 2^{35}$. This shows that the protocol which uses one-way functions has its limitations.

Let us continue with the RS based protocol and fix $m = 29$ (giving $0.75 \approx 0.99^m$). Then condition (27) is satisfied for $\beta = 0.8$ and $\alpha = 1.1$ (we check (26)). We want Eve's probability of obtaining information about $K$ to be very small for security purposes, say $P_E \leq 2^{-80} \approx e^{-55}$. Then (23) gives the restriction $t_E \geq 2377$ and together with (22) we obtain $n \approx \beta t_E/0.95^m \geq 8417$. We want the probability that Bob can reconstruct $K$ to be large such that the profile matching protocol is robust, say $P_{AB} \leq 0.001 \approx e^{-7}$. Then (24) gives the restriction $t_B \geq 2377$ and together with (22) we obtain $n \approx \alpha t_B/0.99^m \geq 2198$. We take $n = 8417$ and together with (22) we obtain $t_E = 2377$ and $t_B = 5718$. Equation (16) gives $d = 6042$ and equation (19) gives $k = 643$.

We check that (18) and (21) hold: $(1-q)n = 1902 < 2377 = t_E$ and $(1-p)n = 6289 > 5718 = t_B$. By using Stirling's formula, $\ln x! \approx (x + 1/2)\ln x - x + \ln\sqrt{2\pi}$, we obtain

$P_E \approx (1 - 0.95^{29})^{8417}(8417 \cdot 0.95^{29})^{2377}/2377! \approx e^{-[\ldots]}$

and

$P_{AB} \approx (1 - 0.99^{29})^{8417}(8417 \cdot 0.99^{29})^{5717}/5717! \approx e^{-[\ldots]}$.
The approximations depend on how well (18) and (21) hold. For example, $P_E$ in (18) is described by a binomial distribution with average $(1-q)n = 1902$ and standard deviation $\sqrt{q(1-q)n} = 38.4$. By using a Gaussian approximation of the binomial probability distribution (law of large numbers),

$P_E \approx Q((2377 - 1902)/38.4) = Q(12.4) \approx \frac{e^{-12.4^2/2}}{\sqrt{2\pi} \cdot 12.4} = e^{-79.9}$,

where

$Q(x) = \int_x^{\infty} \frac{1}{\sqrt{2\pi}} e^{-t^2/2}\,dt$

and

$\left(1 - \frac{1}{x^2}\right)\frac{e^{-x^2/2}}{\sqrt{2\pi}\,x} \leq Q(x) \leq \frac{e^{-x^2/2}}{\sqrt{2\pi}\,x}$

for $x > 0$ [...]. Similarly,

$P_{AB} \approx Q((6289 - 5718)/39.9) = Q(14.3) \approx \frac{e^{-14.3^2/2}}{\sqrt{2\pi} \cdot 14.3} = e^{-[\ldots]}$.

This shows how the approximations (18) and (21) only lead to a first solution.

[...] we can scale $n$, $d$, and $k$ with $65/79 \approx 0.688$ such that $n = 5794$, $d = 4157$, $k = 442$, with $m = 29$, $P_E \approx e^{-[\ldots]}$, and [...]. The key has size $km = 12818$ bits and [the physical system] generates $nm = 168026$ bits in total. The secrecy rate is $km/nm = 0.0763$.

[...] based on one-way functions. However, if we allow feedback our scheme becomes more simple. Choose $m = 160$, such that an adversary Eve with $M = 2^{80}$ computing power has probability $2^{-80} = 1/M$ of successfully guessing $X_i$ with $h(X_i') = h(X_i)$. Thus [...] Eve can only get to know $X_i$ [...] if $Z_i = X_i$. This happens with probability $0.95^{160} = 0.000273$. Bob receives $Y_i = X_i$ with probability $0.99^{160} = 0.200$. This shows that Bob receives at least $t = \gamma n$ matching $Y_i = X_i$ about which Eve does not obtain any information (that is $Z_i \neq X_i$) with probability

$1 - \sum_{i < t} \binom{n}{i} w^i (1-w)^{n-i} \approx 1 - Q\big((w-\gamma)n/\sqrt{w(1-w)n}\big)$,

where

$w = 0.200 \cdot (1 - 0.000273)$.

For $\gamma < w$,

$Q\big((w-\gamma)n/\sqrt{w(1-w)n}\big) \leq \frac{e^{-n(w-\gamma)^2/(2w(1-w))}}{\sqrt{2\pi}\,(w-\gamma)\sqrt{n/(w(1-w))}}$.

If we want to achieve a robustness and security of $e^{-55} \approx 2^{-80}$, then $n(w-\gamma)^2/(2w(1-w)) \approx 55$, which is equivalent to $n(0.20 - \gamma)^2 \approx 17.60$ and

$\gamma = 0.20 - \sqrt{17.60/n}$.

Bob communicates the set of positions $i$ with matching $Y_i = X_i$ to Alice. Both compute a hash of the matching part of their profiles. The hash maps the matching profiles to a secret key $K$ of $tm = \gamma nm$ bits. Only with probability at most $e^{-55} \approx 2^{-80}$ Eve obtains information about $K$. The total number of bits in a profile is $nm$. Hence, the secrecy rate is equal to $\gamma$, which is close to 0.20 for large $n$. For $\gamma = 0.0763$ as in our previous example, $n \approx 1150$ and the total number of bits in a profile is equal to $1150 \cdot 160 = 184000$.

For $t = 1$, we can do exact computations. Bob receives at least $t = 1$ entries [about which Eve obtains no] information with probability $1 - (1-w)^n$. We want to achieve a robustness and security of $2^{-[\ldots]} \geq (1-w)^n$. Taking $n = 35$ gives a solution where the total number of bits in a profile is equal to $mn = 5600$ bits and the size of $K$ is $m = 160$ bits.

5.2 Binary Symmetric Channel

Suppose that the physical system in the profile matching model generates binary vectors $Y = (Y_1,\ldots,Y_n)$ and $Z = (Z_1,\ldots,Z_n)$ of length $n$ as the output of two binary symmetric channels with random input $X = (X_1,\ldots,X_n)$ and characterized by bit error probabilities $p = 0.01$ and $q = 0.05$ respectively. Suppose Alice and Bob use the RS based protocol of Figure 2 to share a secret key. Let

$m = \lceil \log_2(k + n + d - 1) \rceil$ (29)

and consider a $[k+n+d-1, k+n, d]$ RS code over $GF(2^m)$. Alice uses RS encoding to compute the RS code word

$W = [K_1,\ldots,K_k, X_1,\ldots,X_n, P_1,\ldots,P_{d-1}]$

(notice that the bits $X_i$ are embedded as elements in $GF(2^m)$). Alice transmits

$I = [h(K_1,\ldots,K_k), P_1,\ldots,P_{d-1}]$

over the public channel to Bob.

[...]

$t_B = n - (d-1-k)/2 = (1-\gamma)n$ (30)

with $1 - p > 1 - \gamma$. Then Bob can reconstruct $W$ with probability

$\approx 1 - \frac{e^{-n(\gamma-p)^2/(2p(1-p))}}{\sqrt{2\pi}\,(\gamma-p)\sqrt{n/(p(1-p))}}$. (31)

From (29) and (30) we infer that

$m = \lceil \log_2(2k + (1 + 2\gamma)n) \rceil$. (32)

Suppose that Alice and Bob want to achieve $P_{AB} \leq 0.001 \approx e^{-7}$. Then, according to (31), we need to choose

$n(\gamma-p)^2/(2p(1-p)) \approx 7$,

that is,

$\gamma = 0.01 + \sqrt{0.1386/n}$. (33)
Notice that we cannot use Lemma 1 because the assumption on the distribution of Eve's profile does not hold. Instead we use Lemma 2, which says that Eve obtains at most

$I(X;Z) + H(P) = (1 - h_2(q))n + (d-1)m$

bits of information about $KX$. After Bob has reconstructed $KX$, both Alice and Bob use privacy amplification to distill from $KX$

$H(KX) - ((1 - h_2(q))n + (d-1)m) = (km + n) - ((1 - h_2(q))n + (d-1)m) = h_2(q)n - (d-1-k)m$ (34)

secret key bits. In combination with (32) and (33), (34) is maximal for $k = 0$ and equal to

$\big(0.286 - (0.02 + 0.745/\sqrt{n}) \lceil \log_2(1.02 \cdot n + 0.745 \cdot \sqrt{n}) \rceil\big) n$.

If we want a positive number of secret key bits then $0.286 > (0.02 + 0.745/\sqrt{n}) \lceil \log_2(1.02 \cdot n + 0.745 \cdot \sqrt{n}) \rceil$. [...] $\lceil \log_2(1.02 \cdot n + 0.745 \cdot \sqrt{n}) \rceil \geq 4$. Notice that $0.286 > (0.02 + 0.745/\sqrt{n}) \cdot 4$ for $n > 210$. For $n > 210$, $\lceil \log_2(1.02 \cdot n + 0.745 \cdot \sqrt{n}) \rceil \geq 8$. Notice that $0.286 > (0.02 + 0.745/\sqrt{n}) \cdot 8$ for $n > 2238$. For $n > 2238$, [...] $0.286 > (0.02 + 0.745/\sqrt{n}) \cdot 12$ for $n > 37772$. For $n > 37772$, $\lceil \log_2(1.02 \cdot n + 0.745 \cdot \sqrt{n}) \rceil \geq 16$. There does not exist $n$ such that $0.286 > (0.02 + 0.745/\sqrt{n}) \cdot 16$. So, the protocol based on RS codes does not lead to a solution.

Our feedback strategy gives a simple and practical solution. We will use Corollary 1 to prove its security. Let Eve's computing power be represented by $M = 2^{h_2(u)m}$ with $u < q$. For example, $u = q/2 = 0.025$ with $h_2(u) = 0.169$ and $m = 80/h_2(u) = 474$. We derive

$\epsilon \approx Q\big((q-u)\sqrt{m}/\sqrt{u(1-u)}\big) = Q(3.486) \leq \frac{e^{-3.486^2/2}}{\sqrt{2\pi} \cdot 3.486} = 0.000263$.

[Eve's uncertainty about] $(Y_1,\ldots,Y_m)$ given her [knowledge of] $(Z_1,\ldots,Z_m)$ is approximately equal to $h_2(q)m = 0.286 \cdot 474 = 135$ bits. This means that Alice and Bob can use privacy amplification to distill 135 secret bits.

The probability that Bob receives a string of $m = 474$ bits $Y_i = X_i$ is $0.99^{474} = 0.00853$. Suppose that Bob receives $n$ strings of $m$ bits. Then the probability that none of the strings matches with the corresponding strings received by Alice is equal to $(1 - 0.00853)^n$. If we want this probability to be $\leq 0.001$, we need to take $n = 807$. Summarizing, Alice and Bob need $mn = 382518$ bits to extract a key of 135 bits.
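The bound (15) of Section 4.3 evaluated at the parameters of Section 5.2 ($p = 0.01$, $q = 0.05$, $u = q/2$, $m = 474$), as an added example that is not part of the paper: the code computes $\epsilon$ as the exact binomial tail of Corollary 1 instead of the Gaussian approximation used above, so it comes out roughly an order of magnitude larger than 0.000263, which leaves the 135-bit figure essentially unchanged.

```python
"""Security and robustness of the one-way-function strategy (Section 4.3),
evaluated at the Section 5.2 parameters p = 0.01, q = 0.05, u = q/2, m = 474.

Added example, not the paper's code. epsilon is the exact binomial tail of
Corollary 1 rather than the paper's Gaussian approximation."""
import math


def h2(x: float) -> float:
    """Binary entropy function h2(x) = -x log2 x - (1-x) log2 (1-x)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def epsilon(m: int, q: float, u: float) -> float:
    """Probability that Bob's block lies within Hamming distance u*m of Eve's:
    sum_{i <= um} C(m, i) q^i (1-q)^(m-i) (Corollary 1)."""
    radius = int(math.floor(u * m))
    return sum(math.comb(m, i) * q ** i * (1.0 - q) ** (m - i)
               for i in range(radius + 1))


def adversary_budget_bits(m: int, u: float) -> float:
    """log2 M for an adversary that can afford the whole radius-u*m sphere:
    the sphere has at most 2^(h2(u) m) elements, so log2 M = h2(u) m."""
    return h2(u) * m


def security_bits(m: int, q: float, u: float) -> float:
    """Lower bound (15) on Eve's remaining uncertainty about K = X_i = Y_i:
    s = (h2(q) - eps * h2(u)) * m - h2(eps)."""
    eps = epsilon(m, q, u)
    return (h2(q) - eps * h2(u)) * m - h2(eps)


def match_probability(m: int, p: float) -> float:
    """(6): probability that Bob's m-bit block equals Alice's, (1-p)^m."""
    return (1.0 - p) ** m


def blocks_needed(m: int, p: float, max_failure: float) -> int:
    """Smallest n with (1 - (1-p)^m)^n <= max_failure: number of transmitted
    blocks so that at least one of them matches with probability 1 - max_failure."""
    no_match = 1.0 - match_probability(m, p)
    return math.ceil(math.log(max_failure) / math.log(no_match))


def secrecy_rate(m: int, p: float, q: float, u: float) -> float:
    """Secret bits per transmitted block, (1-p)^m * s, from (6) and (15)."""
    return match_probability(m, p) * security_bits(m, q, u)


def secrecy_capacity(m: int, p: float, q: float) -> float:
    """(5) scaled to m-bit vectors: m (h2(p + q - 2pq) - h2(p)), the secrecy
    capacity with public discussion, for comparison with the rate above."""
    return m * (h2(p + q - 2.0 * p * q) - h2(p))


if __name__ == "__main__":
    p, q, u, m = 0.01, 0.05, 0.025, 474
    print(f"log2 M       = {adversary_budget_bits(m, u):.1f}")
    print(f"epsilon      = {epsilon(m, q, u):.6f}")
    print(f"security s   = {security_bits(m, q, u):.1f} bits")
    print(f"P(Y_i = X_i) = {match_probability(m, p):.5f}")
    print(f"n for 0.001  = {blocks_needed(m, p, 0.001)}")
    print(f"secrecy rate = {secrecy_rate(m, p, q, u):.3f} bits/block")
    print(f"C_s          = {secrecy_capacity(m, p, q):.1f} bits/block")
```

At these parameters the strategy yields about 1.2 secret bits per 474-bit block against a capacity $C_s$ of about 115, which is the point made at the end of Section 4.3.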



6 Applications

6.1 Biometrics

Figure 4 depicts the model for biometrics as introduced in [LT03,VTD+03]. The physical system $P$ measures Alice's fingerprint $X$. In the set-up phase Alice uses $P$ to measure her fingerprint $X$. Like in Figure 3, the resulting measurement $A$ is used to compute $I = [H, h_A, P]$. The first part of $I$, consisting of $H = h(K)$ and $h_A = [h(A_1),\ldots,h(A_n)]$, [...] stores these values in a database. Since the database only contains images of one-way functions, the security is not compromised if the database is publicly accessible.

Bob's ATM machine may measure Alice's fingerprint $X$ a second time. This gives the measured fingerprint $B$. Since $A$ and $B$ are different measurements at different times using possibly different measuring devices, $A$ and $B$ are in general not equal to one another. Since $A$ and $B$ are measurements of the same fingerprint $X$, $d(A,B)$ is small. This means that Bob can use our solution to reconstruct $K$ and check its commitment $H = h(K)$.




Fig. 4. Model for biometrics. (Database contents: $H$ and $h_A = [h(a_1),\ldots,h(a_n)]$.)



In biometrics the role of Eve is of an adversary who tries to obtain copies of [Alice's fingerprint], by using for example a disposed coffee cup which contains [...]. [...] at any time Alice may use $P$ to compute a new [measurement] and a new commitment $H$ corresponding to a new $K$. If Alice transmits to Bob the new $h_A$ and the new commitment $H$, then Bob can update its database and Alice and Bob can start using the new $K$.

[...] to the one presented in [LT03,VTD+03] in that function $G(I,B)$ (see Figure 3 for its definition) is

- contracting, that is for any arbitrary given value of $K$ and any arbitrary profiles $A$ and $B$ with $d(A,B)$ small enough, it is not computationally difficult to find at least one value $I$ such that

[...]

and

[...]

- revealing, that is for any $K$ it is not computationally difficult to find a value of $I$ such that $I$ only reveals a negligible amount of information about $K = [\ldots]$; this means that it is computationally difficult to obtain a significant amount of information about $K$ given $I$.

In [LT03,VTD+03] the model is restricted to information theoretical security. The point of this [paper] is that by allowing computational security we obtain simple [solutions]. See [LT03,VTD+03] for a deep discussion on contracting and revealing functions.
6.2 Physical Random Functions

[GC+02a] introduced the concept of physical random functions. A physical random function (PUF) is defined to be a function that maps challenges to responses, embodied by a physical device, with the following properties: it is easy to evaluate, [...] in a short amount of time; and it is hard to characterize: from a polynomial number of plausible physical measurements (in particular, determination of chosen challenge-response pairs), an attacker who no longer has the device, and who can only use a polynomial amount of resources (time, matter, etc.), can only extract a negligible amount of information about the response to a randomly chosen challenge. In this definition the terms short and polynomial are relative to the size of the device, which is the security parameter. In particular, short means linear in the size of the device and polynomial means low degree polynomial. The term plausible is relative to the current state of the art in measurement techniques and is likely to change as improved [methods are devised].

In [P01] PUFs were referred to as Physical One Way Functions (POWFs), [realized with] 3-dimensional micro-structures and coherent radiation. [...] this terminology is confusing because PUFs do not match the standard meaning of one way functions [MvOV96]. A PUF is [...] to reconstruct the physical system [...] does not require going from the response to the challenge to be hard. For a PUF, all that matters is that going from a challenge to a response without using the device is hard. (The term Physical Unclonable Function has the advantage of being easier to pronounce, and it avoids confusion with Pseudo-Random Functions.)

In Figure 5 an optical PUF [P01] is embedded in a smartcard. [The PUF plays] the role of the physical system $P$ in the profile matching model and is used for authentication and identification. During a secure bootstrapping phase in which Bob is in physical contact with the smartcard, Bob receives challenge response pairs. In Figure 6, $C$ is such a challenge and $B$ is its corresponding response, where $C$ represents a laser beam characterized by its angle and frequency.



Fig. 6. Model for an optical PUF within a smartcard. (Figure panels: Bob; Optical PUF: 3-dimensional micro structures and coherent radiation; Smartcard: logical functionality; Alice; output encrypted with $K$.)



Some time after the bootstrapping phase one of Bob's ATM machines may want to securely communicate with the smartcard. Bob's ATM machine gives the challenge $C$ to the smartcard and the physical system computes a corresponding response $A$. Due to environmental and measurement noise $A$ and $B$ may be different. The PUF represented by the physical system is not a function in the mathematical sense, it is a statistical process. Furthermore, an adversary may try to build a software model of the physical system and may try to extract useful information from other smartcards with similar PUFs. In conclusion, to create a secure function we need profile matching. For example, the chip within the smartcard (represented by Alice) generates an arbitrary key $K$ and creates a code word $W$ based on $K$ and $A$. The chip computes the corresponding message $I$ which is transmitted to Bob, who can recover $K$ if the responses $A$ and $B$ are close enough to one another. An adversary who uses a software model and other smartcards to create a simulated response $E$ cannot obtain any information about $K$ because $A$ and $E$ will be far enough apart.

The advantage of a PUF within a smartcard is that it is not clonable. After losing the smartcard you can still use it securely as soon as you find it again. Bob only identifies the PUF linked to the smartcard. To identify the owner of the smartcard we may want to merge the smartcard with biometrics.

After processing the incoming beam, we may extend the optical PUF's functionality to represent the outcoming pattern as a binary vector and to perform a post-hash. In Section 5.1 we discussed a profile matching protocol for such a physical system. The parameter $p$ models the worst allowable environment and parameter $q$ models the best attacking model (using multiple other smartcards and software modeling). Notice that protection against the best attacking model guarantees enough inter-PUF variations; PUFs are uniquely identified. If we are not allowed to perform a post-hash, then we need the solution described in Section 5.2.

Silicon PUFs (SPUFs) were introduced in [...]. Individual integrated circuits (ICs) are identified based on a prior delay characterization of the IC. While ICs can be reliably mass-manufactured to have identical digital logic functionality, each IC is unique in its delay characteristics due to inherent variations in manufacturing across different dies, wafers, and processes. While digital logic [...] timing constraints being met, different ICs with the exact same digital functionality will have unique behaviors when these constraints are not met, because their delay characteristics are different. In [GC+03] a key-card application is described and it is shown that there is enough inter-chip variation to reliably identify FPGAs. In [GLC+] the security is further analysed. Software modeling based on machine learning algorithms leads to a factor higher bit error probability compared to the bit error probability due to environmental and measurement noise. The solutions in Section 5.1 need in the order of $5 \cdot 10^{[\ldots]}$ challenge response pairs. Since SPUFs need about 100ns to compute one challenge response pair, our solutions need about 1 second to generate a reliable and [secure key].

Gassend et al. [GC+02b] defined a PUF to be Controlled (CPUF) if it can only be accessed via an algorithm that is physically linked to the PUF in an inseparable way (i.e., any attempt to circumvent the algorithm will lead to the destruction of the PUF). In particular this algorithm can restrict the challenges that are presented to the PUF and can limit the information about responses that is given to the outside world.

[...] control turns out to be the fundamental idea that allows PUFs to go beyond simple authenticated identification applications. [...] tamper-resistance, anonymous computation, and trusted third party computation, with applications in certified execution and software licensing. Control enables these applications by trusting only a single-chip processor that contains a PUF. In other words, the PUF contains the [...] on which the security of these applications is based. [...] in temperature and voltage variations. There are no results on [...] effects.

(Certified execution: Alice runs computations on Bob's computer, and wants to make sure that she is getting correct results. A certificate is returned with her results to show that they were correctly executed. [...] to run. They run it on a chip that they both trust [...] confidential information knowing that it won't leak the information.)

CPUFs use pre-hashes; this avoids successful attacks by using other CPUFs to [obtain] information about the response. CPUFs use post-hashes; this makes model building impossible. Therefore, there is no threat of a malicious Eve. We only [...] should not be wrongly [identified]. This is the profile matching model in which Eve has no additional computational resources ($M = 0$). This means we can use any of our protocols.
7 Concluding remarks

We analysed the reliability and security of, and gave solutions for, profile matching in the presence of an adversary. If the adversary has a finite amount [of computational power, we may] use one-way functions. The most practical [application] to date is physical random functions. Together with the [...] a practical solution.

A Summary

1. Suppose that Alice receives $(X_1,\ldots,X_n)$ and Bob receives $(Y_1,\ldots,Y_n)$. Let $h$ be a function which is easy to evaluate but for which its inverse is hard to compute. Then Alice may transmit $(h(X_1),\ldots,h(X_n))$ to Bob to create an erasure channel. That is, Bob computes $h(Y_i)$ and if $h(Y_i) \neq h(X_i)$ then Bob knows that $Y_i \neq X_i$ and he assigns an erasure to $Y_i$. If $h(Y_i) = h(X_i)$ then Bob knows that $Y_i = X_i$. The erasure information can be used by Bob in higher layer error correction schemes to reconstruct the complete vector [...].

2. As in 1, but now Bob computes a set $U_i$ (possibly based on $Y_i$) and he evaluates $h(Z)$ for each $Z \in U_i$. Bob compares the evaluations $h(Z)$ with $h(X_i)$. If $X_i \in U_i$ then Bob will find a $Z$ such that $h(Z) = h(X_i)$ (hence [...]). If $X_i \notin U_i$ then Bob will not find a $Z$ such that $h(Z) = h(X_i)$ and he assigns an erasure to $Y_i$.

3. In 1 or 2, Alice may encode $(h(X_1),\ldots,h(X_n))$ into a code word $(h(X_1),\ldots,h(X_n),P_1,\ldots,P_{d-1})$ of some error correcting code, and Alice may transmit $(P_1,\ldots,P_{d-1})$ instead [...]. [...] uses a decoding algorithm to reconstruct $(h(X_1),\ldots,h(X_n),P_1,\ldots,P_{d-1})$. Now Bob proceeds as described in 1 or 2.

4. In 1, 2 or 3, Bob may transmit to Alice the set $S$ of indices $i$ for which $h(Y_i) = h(X_i)$. Then Alice and Bob both know $S$ and they can use $(X_i)_{i \in S}$ to extract or generate for example a shared secret key.

5. In 4 applied to 1 or 2, Alice and Bob may receive unordered sets $\{X_1,\ldots,X_n\}$ [and $\{Y_1,\ldots,Y_n\}$]. [...] proceeds as in 1 to transmit $(h(X_1),\ldots,h(X_n))$. Then Bob computes as in 2 the set [...] such that [...] a $Z$ with $h(Z) = h(X_i)$ (as in 2 he assigns [an erasure otherwise]).

6. In 4 or 5, Bob may also transmit $K + \mathrm{Hash}(Y_i : i \in S)$. Alice receives $K + \mathrm{Hash}(Y_i : i \in S)$ and subtracts $\mathrm{Hash}(X_i : i \in S)$ leading to $K$. This procedure leads to a shared secret key $K$ between Alice and Bob.

7. In 4 or 5, Alice may transmit $K + \mathrm{Hash}(X_i : i \in S)$ after having received $S$ from Bob. Then, Bob receives $K + \mathrm{Hash}(X_i : i \in S)$ and he subtracts $\mathrm{Hash}(Y_i : i \in S)$ leading to $K$. This procedure leads to a shared secret key $K$ between Alice and Bob.

8. Suppose that Alice receives $(X_1,\ldots,X_n)$ and Bob receives $(Y_1,\ldots,Y_n)$. To generate a secret key Alice encodes $(K_1,\ldots,K_k,X_1,\ldots,X_n)$ into a code word $(K_1,\ldots,K_k,X_1,\ldots,X_n,P_1,\ldots,P_{d-1})$ of some error correcting code, and Alice transmits $(P_1,\ldots,P_{d-1})$ to Bob. Bob constructs $(?,\ldots,?,Y_1,\ldots,Y_n,P_1,\ldots,P_{d-1})$ (where $?$ denotes an erasure) and uses a decoding algorithm to retrieve $(K_1,\ldots,K_k,X_1,\ldots,X_n,P_1,\ldots,P_{d-1})$. Then Alice and Bob both know [...] which they use to extract or distill a shared secret (this is called privacy amplification).

9. In 8, we may use a RS code. For example, if the $X_i$ and $Y_i$ are bits we may group them into $m$-bit symbols representing elements in $GF(2^m)$ or we may [represent each bit as] $0$ or $1$ in $GF(2^m)$, and we use a RS code over [$GF(2^m)$].

10. In 8, privacy amplification can be accomplished by left-multiplication of a random $(k+n) \times s$ matrix to distill $s$ bits. Or Alice and Bob can use a hash function. Or, if RS codes are used, Alice and Bob distill $(K_1,\ldots,K_k)$ as the [shared secret].

11. The higher layer coding scheme which makes use of the erasure channel as in 1, 2, 3, 4, 5, 6, or 7 can be the one as described in 8, 9, or 10.

12. The previous ideas (1 to 11) can be applied in biometrics, see Section 6.1. [They can also be applied to] make PUFs reliable and secure, see Section 6.2.

13. In 12 for controlled PUFs we may adapt the GetResponse and GetSecret primitive to match our ideas. For example, both primitives need to implement decoding algorithms (in for example 8, 9, and 10) or extra output (set $S$ in 4, 5, 6, and 7).

14. In 12 for PUFs used for identification or authentication, the PUF will identify or authenticate itself by proving (in a secure way) that it knows the shared secret key which was generated [with] our ideas.
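The erasure-channel exchange of items 1, 4 and 6 above (the feedback variant used numerically in Section 5.1), as an added example that is not part of the paper: profiles are $n$ blocks of $m$ bits, Bob's and Eve's profiles are Alice's passed through binary symmetric channels with error probabilities $p$ and $q$, and both the one-way function $h$ and the key-derivation function Hash are SHA-256 (assumptions; the paper leaves them abstract). Feeding the block index into $h$ is a domain-separation choice of this example, not the paper's.

```python
"""Feedback profile-matching protocol (Appendix items 1, 4, 6; Section 5.1).

Added example, not the paper's code. h and Hash are instantiated with SHA-256
(assumption); profiles and channel noise are constructed sample data."""
import hashlib
import random


def _enc(block: int, m: int) -> bytes:
    return block.to_bytes((m + 7) // 8, "big")


def h(i: int, block: int, m: int) -> bytes:
    """One-way image of block i. Binding the index is this example's own
    tweak: a match at position i can then not be replayed at position j."""
    return hashlib.sha256(i.to_bytes(4, "big") + _enc(block, m)).digest()


def bsc(block: int, m: int, err: float, rng: random.Random) -> int:
    """Pass an m-bit block through a binary symmetric channel with error err."""
    noise = 0
    for bit in range(m):
        if rng.random() < err:
            noise |= 1 << bit
    return block ^ noise


def make_profiles(n: int, m: int, p: float, q: float, seed: int):
    """Constructed sample profiles: X for Alice, Y = X + N_AB for Bob, Z = X + N_AE for Eve."""
    rng = random.Random(seed)
    X = [rng.getrandbits(m) for _ in range(n)]
    Y = [bsc(x, m, p, rng) for x in X]
    Z = [bsc(x, m, q, rng) for x in X]
    return X, Y, Z


def alice_commit(X, m):
    """Item 1: Alice broadcasts (h(X_1), ..., h(X_n)), turning the BSC into an erasure channel."""
    return [h(i, x, m) for i, x in enumerate(X)]


def bob_match(commitments, Y, m):
    """Item 4: Bob computes h(Y_i), keeps S = {i : h(Y_i) = h(X_i)} and sends S to Alice.
    Every other position is an erasure, since then Y_i != X_i (up to a hash collision)."""
    return [i for i, y in enumerate(Y) if h(i, y, m) == commitments[i]]


def hash_matching(blocks, S, m) -> bytes:
    """Hash(X_i : i in S): the hash of the matching part of a profile."""
    return hashlib.sha256(b"".join(_enc(blocks[i], m) for i in S)).digest()


def derive_key(blocks, S, m, t: int):
    """Item 4: key from the matching part; None if fewer than t blocks matched
    (the robustness threshold t = gamma * n of Section 5.1)."""
    if len(S) < t:
        return None
    return hash_matching(blocks, S, m)


def bob_send_key(K: bytes, Y, S, m) -> bytes:
    """Item 6: Bob chooses K and transmits K + Hash(Y_i : i in S), with + being XOR."""
    return bytes(a ^ b for a, b in zip(K, hash_matching(Y, S, m)))


def alice_recover_key(msg: bytes, X, S, m) -> bytes:
    """Item 6, Alice's side: subtract Hash(X_i : i in S), equal to Hash(Y_i : i in S) on S."""
    return bytes(a ^ b for a, b in zip(msg, hash_matching(X, S, m)))


def run(n=200, m=29, p=0.01, q=0.05, t=100, seed=7):
    """Complete exchange; returns the outcome for Alice and Bob and an Eve-side tally."""
    X, Y, Z = make_profiles(n, m, p, q, seed)
    S = bob_match(alice_commit(X, m), Y, m)
    K_alice = derive_key(X, S, m, t)
    K_bob = derive_key(Y, S, m, t)
    # Positions in S where Eve's block already equals Alice's: the only places
    # where the published h(X_i) confirms a block Eve holds (Section 5.1's Z_i = X_i case).
    leaked = sum(1 for i in S if Z[i] == X[i])
    return {"matched": len(S),
            "agree": K_alice is not None and K_alice == K_bob,
            "leaked": leaked}


if __name__ == "__main__":
    print(run())
```

With $m = 29$ and $p = 0.01$ about $0.99^{29} \approx 0.75$ of the blocks match, and roughly $0.95^{29} \approx 0.23$ of those are blocks Eve already holds, which is the tally the `leaked` field reports.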



